[Plugin: WP Minify] CHMOD 777 a security risk?

  • WP-Minify requires one PHP file and one folder to be permanently set to chmod 777.

    Isn’t this supposed to represent an unacceptable security risk?

    It’s the only plugin I know that requires chmod 777 except for a short time during installation.

    Someone please explain.

Viewing 7 replies - 1 through 7 (of 7 total)

  • Indeed 777 or 666 will always be risky.
    The developer of this plugin should find a way to make WP-Minify work without requiring write access permanently. It’s really a BAD IDEA!

    it’s only risky if the host server security bites

    Thread Starter jfl1

    (@jfl1)

    Samuel B,

    WordPress was created for writers/bloggers. It makes little sense to me to expect the typical WordPress user to be able to tell if his host’s server is secure enough to compensate for an unsecure plugin.

    And what if someone’s server is not secure enough? Will the user be able to convince his host to upgrade server security in order for him to be able to use chmod 777 safely? With my current host, this kind of request would quickly take the form of a earful of bad language against WordPress (I’m switching to more WordPress-friendly host next week, by the way).

    It seems to me that expecting too much from both users and hosts can only mean negative consequences for WordPress.

    Spelling out in the plugin instructions what is required to make the plugin safe would be a minimum, woudln’t it?

    I’m not a programmer, just a user that got some strong warnings about chmod 666 and 777 drilled into him and is now very puzzled.

    @jfl1

    Check my article (step2) on wp minfiy. I hope you find it helpful:

    https://arindamchakraborty.com/optimizing-your-wordpress-blog

    I have since switched to another plugin (a bit better than wp minify IMO), but the case is same: it also requires you to provide world-writable access to the cache directory. Only exception is the autooptimize plugin which can do the cache for you with just 755 permissions but the catch is that you NEED to use wp super cache with it (if you don’t, then you would need to provide 777 permission to the cache folder).

    Instead of opening the barn doors with CHMOD 777 it is both more secure and somewhat more logic to make the directory in question writable by the server by setting the “owner” of that directory via CHOWN command to “server” or “php-user”. But that usually can’t be done with an FTP client like FileZilla. You have to do the change in your providers WebFTP.

    Hey Andreas,

    Your suggestion sounds interesting. I suppose you can only run CHOWN commands via SSH? Or is there any “easier” way to do this?

    Sorry, but I don’t even know what SSH is. I’m using the web ftp interface my provider offers. There it is quite handy to make wp-content (and any plugin directories and config-files), .htaccess and wp-config writable by the server just by changing the owner of the file or directory. If I leave the files “owned” by the ftp user (i.e., me) and CHMOD them 777 any wizkid (that know about SSH and whatnot) can flood my server with child pornography or muffin recipes.

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘[Plugin: WP Minify] CHMOD 777 a security risk?’ is closed to new replies.